OPINION: A troubling article in Forbes raises concerns about how society takes care of those who raise legitimate, well-founded concerns about their employers. Aside from the specific legal decision in this particular case, there is a wider issue about protecting whistleblowers from retribution. If a whistleblowing employee makes allegations of serious impropriety by his employer, and those allegations are upheld, is it reasonable for him/her to insist on remaining employed by the organization? A few enlightened managements might swallow their pride and allow the whistleblowing employee to carry on normally in employment but I strongly suspect that in most cases continued employment is simply untenable - relationships have probably been irreparably damaged and consequently the whistleblower may no longer be able to function within the organization in practice.
It seems to me there are just two options:
- Don't expect employees to blow the whistle on their employers, but rely solely on other governance, compliance and enforcement activities, such as external audits. This would be bad for society because insiders often have direct knowledge of impropriety that is invisible to, or hidden from, outsiders (remember Barings Bank? Does Enron ring a bell?) ... Or ...
- Protect whistleblowers.
Ensuring whistleblowers' continued employment with the same employer may not be sensible in all cases - in other words, whistleblowers should not have unrealistic expectations of being able to continue in employment with the same organization following a major disclosure. However, it may be possible to reward whistleblowers with, say, a cut of any fine imposed on their (former) employer, acting as both a financial incentive to blow the whistle and a way to soften the blow of being 'let go' afterwards, if/when that happens. Furthermore, professional bodies such as (ISC)2 and ISACA should, I feel, make special provisions to support any of their members who are placed in such a difficult position. I'm talking about, for example, mechanisms to handle whistleblowing allegations on behalf of their members, and if appropriate providing legal backing to ensure that their members are treated fairly. Perhaps offering a professional award to recognize members who legitimately blow the whistle despite the personal risk might help them find future employment with organizations that are open-minded enough to welcome them in.
Gary Hinson CISSP
PS Thanks to Anton Aylward for pointing out the Forbes piece on CISSPforum. If you are a CISSP but don't belong to CISSPforum, you're missing out on a valuable benefit.